

<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
  <meta charset="utf-8" />
  
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  
  <title>Bucket Policies &mdash; Ceph Documentation</title>
  

  
  <link rel="stylesheet" href="../../_static/ceph.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/graphviz.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/css/custom.css" type="text/css" />

  
  
    <link rel="shortcut icon" href="../../_static/favicon.ico"/>
  

  
  

  

  
  <!--[if lt IE 9]>
    <script src="../../_static/js/html5shiv.min.js"></script>
  <![endif]-->
  
    
      <script type="text/javascript" id="documentation_options" data-url_root="../../" src="../../_static/documentation_options.js"></script>
        <script src="../../_static/jquery.js"></script>
        <script src="../../_static/underscore.js"></script>
        <script src="../../_static/doctools.js"></script>
    
    <script type="text/javascript" src="../../_static/js/theme.js"></script>

    
    <link rel="index" title="Index" href="../../genindex/" />
    <link rel="search" title="Search" href="../../search/" />
    <link rel="next" title="RGW Dynamic Bucket Index Resharding" href="../dynamicresharding/" />
    <link rel="prev" title="Encryption" href="../encryption/" /> 
</head>

<body class="wy-body-for-nav">

   
  <div class="wy-grid-for-nav">
    

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      


      <div class="wy-nav-content">
        
        <div class="rst-content">
        
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
<div id="dev-warning" class="admonition note">
  <p class="first admonition-title">Notice</p>
  <p class="last">This document is for a development version of Ceph.</p>
</div>

  
  <div class="section" id="id1">
<h1>Bucket Policies<a class="headerlink" href="#id1" title="Permalink to this headline">¶</a></h1>
<div class="versionadded">
<p><span class="versionmodified added">New in version Luminous.</span></p>
</div>
<p>The Ceph Object Gateway supports a subset of the Amazon S3 policy language applied to buckets.</p>
<div class="section" id="id2">
<h2>Creation and Removal<a class="headerlink" href="#id2" title="Permalink to this headline">¶</a></h2>
<p>Bucket policies are managed through standard S3 operations rather than radosgw-admin.</p>
<p>For example, a policy can be set or deleted with s3cmd as follows:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ cat &gt; examplepol
{
  &quot;Version&quot;: &quot;2012-10-17&quot;,
  &quot;Statement&quot;: [{
    &quot;Effect&quot;: &quot;Allow&quot;,
    &quot;Principal&quot;: {&quot;AWS&quot;: [&quot;arn:aws:iam::usfolks:user/fred:subuser&quot;]},
    &quot;Action&quot;: &quot;s3:PutObjectAcl&quot;,
    &quot;Resource&quot;: [
      &quot;arn:aws:s3:::happybucket/*&quot;
    ]
  }]
}

$ s3cmd setpolicy examplepol s3://happybucket
$ s3cmd delpolicy s3://happybucket
</pre></div>
</div>
</div>
<div class="section" id="id3">
<h2>Limitations<a class="headerlink" href="#id3" title="Permalink to this headline">¶</a></h2>
<p>Currently, we support only the following actions:</p>
<ul class="simple">
<li><p>s3:AbortMultipartUpload</p></li>
<li><p>s3:CreateBucket</p></li>
<li><p>s3:DeleteBucketPolicy</p></li>
<li><p>s3:DeleteBucket</p></li>
<li><p>s3:DeleteBucketWebsite</p></li>
<li><p>s3:DeleteObject</p></li>
<li><p>s3:DeleteObjectVersion</p></li>
<li><p>s3:DeleteReplicationConfiguration</p></li>
<li><p>s3:GetAccelerateConfiguration</p></li>
<li><p>s3:GetBucketAcl</p></li>
<li><p>s3:GetBucketCORS</p></li>
<li><p>s3:GetBucketLocation</p></li>
<li><p>s3:GetBucketLogging</p></li>
<li><p>s3:GetBucketNotification</p></li>
<li><p>s3:GetBucketPolicy</p></li>
<li><p>s3:GetBucketRequestPayment</p></li>
<li><p>s3:GetBucketTagging</p></li>
<li><p>s3:GetBucketVersioning</p></li>
<li><p>s3:GetBucketWebsite</p></li>
<li><p>s3:GetLifecycleConfiguration</p></li>
<li><p>s3:GetObjectAcl</p></li>
<li><p>s3:GetObject</p></li>
<li><p>s3:GetObjectTorrent</p></li>
<li><p>s3:GetObjectVersionAcl</p></li>
<li><p>s3:GetObjectVersion</p></li>
<li><p>s3:GetObjectVersionTorrent</p></li>
<li><p>s3:GetReplicationConfiguration</p></li>
<li><p>s3:ListAllMyBuckets</p></li>
<li><p>s3:ListBucketMultipartUploads</p></li>
<li><p>s3:ListBucket</p></li>
<li><p>s3:ListBucketVersions</p></li>
<li><p>s3:ListMultipartUploadParts</p></li>
<li><p>s3:PutAccelerateConfiguration</p></li>
<li><p>s3:PutBucketAcl</p></li>
<li><p>s3:PutBucketCORS</p></li>
<li><p>s3:PutBucketLogging</p></li>
<li><p>s3:PutBucketNotification</p></li>
<li><p>s3:PutBucketPolicy</p></li>
<li><p>s3:PutBucketRequestPayment</p></li>
<li><p>s3:PutBucketTagging</p></li>
<li><p>s3:PutBucketVersioning</p></li>
<li><p>s3:PutBucketWebsite</p></li>
<li><p>s3:PutLifecycleConfiguration</p></li>
<li><p>s3:PutObjectAcl</p></li>
<li><p>s3:PutObject</p></li>
<li><p>s3:PutObjectVersionAcl</p></li>
<li><p>s3:PutReplicationConfiguration</p></li>
<li><p>s3:RestoreObject</p></li>
</ul>
<p>We do not yet support setting policies on users, groups, or roles.</p>
<p>We use the RGW "tenant" identifier in place of Amazon's twelve-digit account ID. In the future we may allow you to assign an account ID to a tenant, but for now, if you want to use policies between AWS S3 and RGW S3, you will have to use the Amazon account ID as the tenant ID when creating users.</p>
<p>Under AWS, all tenants share a single namespace, whereas RGW gives every tenant its own namespace of buckets. A future version may add an option to enable an AWS-like "flat" bucket namespace. In the current version, a bucket belonging to another tenant can be addressed through the S3 API in the form "tenant:bucket".</p>
<p>In AWS, a bucket policy can grant access to another account, and that account's owner can then grant access to his users. Since we do not yet support user, role, and group permissions, account owners can currently only grant access directly to individual users, and granting an account access to a bucket also grants access to every user within that account.</p>
<p>Bucket policies do not yet support string interpolation.</p>
<p>For all requests, the condition keys we support are:</p>
<ul class="simple">
<li><p>aws:CurrentTime</p></li>
<li><p>aws:EpochTime</p></li>
<li><p>aws:PrincipalType</p></li>
<li><p>aws:Referer</p></li>
<li><p>aws:SecureTransport</p></li>
<li><p>aws:SourceIp</p></li>
<li><p>aws:UserAgent</p></li>
<li><p>aws:username</p></li>
</ul>
<p>We support certain s3 condition keys for bucket and object requests.</p>
<div class="versionadded">
<p><span class="versionmodified added">New in version Mimic.</span></p>
</div>
<div class="section" id="id4">
<h3>Bucket Related Operations<a class="headerlink" href="#id4" title="Permalink to this headline">¶</a></h3>
<table class="docutils align-default">
<colgroup>
<col style="width: 38%" />
<col style="width: 36%" />
<col style="width: 26%" />
</colgroup>
<tbody>
<tr class="row-odd"><td><p>Permission</p></td>
<td><p>Condition Keys</p></td>
<td><p>Comments</p></td>
</tr>
<tr class="row-even"><td><p>s3:CreateBucket</p></td>
<td><p>s3:x-amz-acl
s3:x-amz-grant-&lt;perm&gt;
where perm is one of read/write/read-acp/write-acp/full-control</p></td>
<td></td>
</tr>
<tr class="row-odd"><td rowspan="3"><p>s3:ListBucket &amp;</p>
<p>s3:ListBucketVersions</p>
</td>
<td><p>s3:prefix</p></td>
<td></td>
</tr>
<tr class="row-even"><td><p>s3:delimiter</p></td>
<td></td>
</tr>
<tr class="row-odd"><td><p>s3:max-keys</p></td>
<td></td>
</tr>
<tr class="row-even"><td><p>s3:PutBucketAcl</p></td>
<td><p>s3:x-amz-acl
s3:x-amz-grant-&lt;perm&gt;</p></td>
<td></td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="tag-policy">
<span id="id5"></span><h3>Object Related Operations<a class="headerlink" href="#tag-policy" title="Permalink to this headline">¶</a></h3>
<table class="docutils align-default">
<colgroup>
<col style="width: 31%" />
<col style="width: 49%" />
<col style="width: 20%" />
</colgroup>
<tbody>
<tr class="row-odd"><td><p>Permission</p></td>
<td><p>Condition Keys</p></td>
<td><p>Comments</p></td>
</tr>
<tr class="row-even"><td rowspan="6"><p>s3:PutObject</p></td>
<td><p>s3:x-amz-acl &amp; s3:x-amz-grant-&lt;perm&gt;</p></td>
<td></td>
</tr>
<tr class="row-odd"><td><p>s3:x-amz-copy-source</p></td>
<td></td>
</tr>
<tr class="row-even"><td><p>s3:x-amz-server-side-encryption</p></td>
<td></td>
</tr>
<tr class="row-odd"><td><p>s3:x-amz-server-side-encryption-aws-kms-key-id</p></td>
<td></td>
</tr>
<tr class="row-even"><td><p>s3:x-amz-metadata-directive</p></td>
<td><p>PUT &amp; COPY to
overwrite/preserve
metadata in COPY
requests</p></td>
</tr>
<tr class="row-odd"><td><p>s3:RequestObjectTag/&lt;tag-key&gt;</p></td>
<td></td>
</tr>
<tr class="row-even"><td rowspan="2"><p>s3:PutObjectAcl
s3:PutObjectVersionAcl</p></td>
<td><p>s3:x-amz-acl &amp; s3:x-amz-grant-&lt;perm&gt;</p></td>
<td></td>
</tr>
<tr class="row-odd"><td><p>s3:ExistingObjectTag/&lt;tag-key&gt;</p></td>
<td></td>
</tr>
<tr class="row-even"><td rowspan="2"><p>s3:PutObjectTagging &amp;
s3:PutObjectVersionTagging</p></td>
<td><p>s3:RequestObjectTag/&lt;tag-key&gt;</p></td>
<td></td>
</tr>
<tr class="row-odd"><td><p>s3:ExistingObjectTag/&lt;tag-key&gt;</p></td>
<td></td>
</tr>
<tr class="row-even"><td><p>s3:GetObject &amp;
s3:GetObjectVersion</p></td>
<td><p>s3:ExistingObjectTag/&lt;tag-key&gt;</p></td>
<td></td>
</tr>
<tr class="row-odd"><td><p>s3:GetObjectAcl &amp;
s3:GetObjectVersionAcl</p></td>
<td><p>s3:ExistingObjectTag/&lt;tag-key&gt;</p></td>
<td></td>
</tr>
<tr class="row-even"><td><p>s3:GetObjectTagging &amp;
s3:GetObjectVersionTagging</p></td>
<td><p>s3:ExistingObjectTag/&lt;tag-key&gt;</p></td>
<td></td>
</tr>
<tr class="row-odd"><td><p>s3:DeleteObjectTagging &amp;
s3:DeleteObjectVersionTagging</p></td>
<td><p>s3:ExistingObjectTag/&lt;tag-key&gt;</p></td>
<td></td>
</tr>
</tbody>
</table>
<p>More may be supported soon as we integrate with the recently rewritten Authentication/Authorization subsystem.</p>
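<p>The action list and condition-key tables above can be turned into a pre-flight check that runs before <code>s3cmd setpolicy</code>. The Python below is an added example, not part of the Ceph project; it assumes the supported actions and condition keys are exactly those listed on this page, and the constant and function names are the example's own.</p>

```python
"""Lint an S3 bucket policy against the subset this page says RGW supports (example, not Ceph code)."""
import fnmatch

# Actions accepted in RGW bucket policies (the list in the Limitations section).
SUPPORTED_ACTIONS = set("""
s3:AbortMultipartUpload s3:CreateBucket s3:DeleteBucketPolicy s3:DeleteBucket s3:DeleteBucketWebsite
s3:DeleteObject s3:DeleteObjectVersion s3:DeleteReplicationConfiguration s3:GetAccelerateConfiguration
s3:GetBucketAcl s3:GetBucketCORS s3:GetBucketLocation s3:GetBucketLogging s3:GetBucketNotification
s3:GetBucketPolicy s3:GetBucketRequestPayment s3:GetBucketTagging s3:GetBucketVersioning
s3:GetBucketWebsite s3:GetLifecycleConfiguration s3:GetObjectAcl s3:GetObject s3:GetObjectTorrent
s3:GetObjectVersionAcl s3:GetObjectVersion s3:GetObjectVersionTorrent s3:GetReplicationConfiguration
s3:ListAllMyBuckets s3:ListBucketMultipartUploads s3:ListBucket s3:ListBucketVersions
s3:ListMultipartUploadParts s3:PutAccelerateConfiguration s3:PutBucketAcl s3:PutBucketCORS
s3:PutBucketLogging s3:PutBucketNotification s3:PutBucketPolicy s3:PutBucketRequestPayment
s3:PutBucketTagging s3:PutBucketVersioning s3:PutBucketWebsite s3:PutLifecycleConfiguration
s3:PutObjectAcl s3:PutObject s3:PutObjectVersionAcl s3:PutReplicationConfiguration s3:RestoreObject
""".split())
# Condition keys accepted on every request.
GLOBAL_KEYS = {"aws:CurrentTime", "aws:EpochTime", "aws:PrincipalType", "aws:Referer",
               "aws:SecureTransport", "aws:SourceIp", "aws:UserAgent", "aws:username"}
# s3:* condition keys per action, from the two tables above ("*" matches any <perm> or <tag-key>).
ACL = ["s3:x-amz-acl", "s3:x-amz-grant-*"]
LIST = ["s3:prefix", "s3:delimiter", "s3:max-keys"]
EXISTING, REQUEST = ["s3:ExistingObjectTag/*"], ["s3:RequestObjectTag/*"]
ACTION_KEYS = {
    "s3:CreateBucket": ACL, "s3:PutBucketAcl": ACL,
    "s3:ListBucket": LIST, "s3:ListBucketVersions": LIST,
    "s3:PutObject": ACL + REQUEST + ["s3:x-amz-copy-source", "s3:x-amz-metadata-directive",
        "s3:x-amz-server-side-encryption", "s3:x-amz-server-side-encryption-aws-kms-key-id"],
    "s3:PutObjectAcl": ACL + EXISTING, "s3:PutObjectVersionAcl": ACL + EXISTING,
    "s3:PutObjectTagging": REQUEST + EXISTING, "s3:PutObjectVersionTagging": REQUEST + EXISTING,
}
for _a in ("GetObject", "GetObjectVersion", "GetObjectAcl", "GetObjectVersionAcl",
           "GetObjectTagging", "GetObjectVersionTagging", "DeleteObjectTagging",
           "DeleteObjectVersionTagging"):
    ACTION_KEYS["s3:" + _a] = EXISTING  # every object read/tag action keys on existing tags

def lint_policy(policy):
    """Return problems found; an empty list means the policy stays inside RGW's subset."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    issues = []
    for n, st in enumerate(as_list(policy.get("Statement", []))):
        acts = as_list(st.get("Action", []))
        issues += [f"stmt {n}: action {a} is not supported" for a in acts
                   if "*" not in a and a not in SUPPORTED_ACTIONS]
        issues += [f"stmt {n}: resource {r} uses string interpolation"  # not supported yet
                   for r in as_list(st.get("Resource", [])) if "${" in r]
        for key in (k for cond in st.get("Condition", {}).values() for k in cond):
            if key.startswith("aws:") and key not in GLOBAL_KEYS:
                issues.append(f"stmt {n}: condition key {key} is not supported")
            elif key.startswith("s3:") and not any(fnmatch.fnmatchcase(key, p)
                                                   for a in acts for p in ACTION_KEYS.get(a, [])):
                issues.append(f"stmt {n}: condition key {key} is not valid for {acts}")
    return issues
```

<p>A non-empty result names the statement that would fall outside the subset RGW enforces, so the document can be corrected before it is applied to the bucket.</p>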
</div>
</div>
<div class="section" id="swift">
<h2>Swift<a class="headerlink" href="#swift" title="Permalink to this headline">¶</a></h2>
<p>There is no way to set policies under Swift, but bucket policies that have been set through S3 will affect Swift as well.</p>
<p>Swift credentials are matched against the Principal specified in the policy using the method specific to the backend in use.</p>
</div>
</div>



           </div>
           
          </div>
          <footer>

  <hr/>

  <div role="contentinfo">
    <p>
        &#169; Copyright 2016, Ceph authors and contributors. Licensed under Creative Commons Attribution Share Alike 3.0 (CC-BY-SA-3.0).

    </p>
  </div> 

</footer>
        </div>
      </div>

    </section>

  </div>
  

  <script type="text/javascript">
      jQuery(function () {
          SphinxRtdTheme.Navigation.enable(true);
      });
  </script>

  
  
    
   

</body>
</html>